Android should embrace a Windows-style security update model

Google fixes Android's security problems relatively quickly, but the OEMs and carriers are painfully slow to implement them. Isn't it time for Google to take a page out of Microsoft's playbook and implement regular direct-to-user security updates?

When it comes to security, Android 2013 is a lot like Windows in the 1990s and much of the 2000s: a mess. Still, Microsoft got one thing right with security early on. Starting with Windows 98, Microsoft released regular direct-to-user security updates with Patch Tuesday. It's high time Google followed Microsoft's lead and started implementing its own direct-to-user security patches.

True, you'd need to ignore Android security basics to pick up an infected program, but there's a security fool born every minute. Besides, while today most Android malware infects devices via third-party Android app stores and questionable malware-laden Web sites, it's only a matter of time before hackers adopt more subtle ways to introduce malware into Android devices.

On top of that, only 37.9 percent of Android users are running 4.1 and higher. Over 60 percent are running earlier, more vulnerable, versions of Android. In addition, just like Windows, there are always new Android security holes being discovered and exploited even in the latest and newest versions.

Security is a never-ending battle.

While Microsoft's answer has its problems--for every Patch Tuesday, there's an Exploit Wednesday--at least Microsoft's approach ensures that careful users will be protected from most security holes regardless of whether they're running a Dell laptop, an HP PC, or a Lenovo ThinkPad.

Google needs to take the same approach. Just as Microsoft releases patches for versions from XP to Windows 8.1, Google needs to push security patches for versions from at least Android 2.1 Eclair, which still has 1.4 percent of the market, to market-leading Android 4.1 and up.

Microsoft doesn't depend on the big PC vendors to deliver patches and Google shouldn't either. As this latest episode shows, neither the OEMs nor the carriers can be trusted to keep their users secure.

Google needs to sit its Android OEM customers down and tell them that since they can't, or won't, deliver security patches, it will do it for them. Microsoft did it with Acer, Asus, and all the other PC vendors; Google must do it with HTC, Samsung, and all its smartphone and tablet partners.

The alternative is for Android's users to be permanently vulnerable to both old, long-fixed security holes and the latest malware.
